Creating an Endpoint Protection Alert using System Center Orchestrator

CM 2012 does not provide a built-in method for alerting administrators when a remediation action fails for Endpoint Protection. When remediation fails, the device is still considered infected. Even more of a concern is if the infection changes Endpoint Protection settings.

This is the first of a two-part series that will go over how to create an alert so that administrators can be notified when remediation fails. This part goes through the first half of creating the runbook; next week will cover the second half and the other runbook that is required.

Background

In the Monitoring node on the CM 2012 console is a section for Endpoint Protection. If you expand this node, and select “System Center 2012 Endpoint Protection Status”, you can see a chart like this:

This chart shows you what is happening in almost real time. As you can see, I have four devices where remediation failed (i.e., the device is still infected) and one device where the malware modified the client settings. These are the machines we are focusing on.

By default, this chart updates every 20 minutes when Endpoint Protection summarization runs. You can set that value lower or higher by using the CM 2012 PowerShell cmdlets. Simply connect to CM 2012 using PowerShell (in the file menu of the console) and type:

To complete this runbook, your Orchestrator service account will need at least the "Read-Only Analyst" role in the CM 2012 console. This allows the service to execute WMI queries against CM 2012. If you want to do the query database step to grab the path of the infection, the Orchestrator service account will also need "db_datareader" access to your CM 2012 database; that role can read every table in the database, so use a dedicated service account rather than one that already holds broader rights. You will also need to open TCP port 1433 from your Orchestrator runbook server to the server running the CM 2012 database. If you do not use the default SQL port, replace 1433 with the port number you use (a named instance on a dynamic port also needs UDP 1434 for the SQL Browser service).

Preparing the System

For my process, I create a marker file that is the name of the device. I create this file in a share on the runbook server. You need to create this share before building the runbook. Creating the share is outside the scope of this article, but I do recommend hiding it (simply put a dollar sign ($) after the share name). Hiding the share only keeps it out of browse lists; the share and NTFS permissions are what actually restrict access. Your Orchestrator service account will need Full Control rights for the share, and Read / Write / Modify NTFS rights to the folder containing the files, and no other account needs access to it.

When the runbook executes, it creates this file after sending the alert email. When the runbook executes again, it checks this directory for those files, and does not send another email if a file with the infected computer name exists. This is to prevent you from getting multiple emails for a single computer. I then have another runbook that runs that deletes these files once the computer is cleaned (more on that later).

Creating the Alert Runbook

Here is a picture of what your runbook will look like:

It looks complicated, but it's actually quite simple. The items on the top line are the "essential" activities: they gather the data and do the processing. The bottom line can be left out if you want. I will go through each one individually.

Find Computers with Remediation Errors

To get started, expand the “System” integration pack and drag a “Run .Net Script” activity into your workspace. Open it, click the “General” node, and give this step a name. I named mine “Find Computers with Remediation Errors”. Next, go back to the “Details” node, and set the language type to PowerShell. In the box, paste this code:

This step creates an array of all devices where the EPInfectionStatus property is set to “4”. When a device infection status is set to four, it means that remediation has failed or the client settings have been modified by the infection.
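The query described above, written out as an added PowerShell example that runs outside Orchestrator (this is not the post's own script). The class SMS_CombinedDeviceResources and its EPInfectionStatus property are the ones the post uses; the site server name, site code and the Get-CMRemediationFailedDevice function name are assumptions you replace with your own values.

```powershell
# Added example, not the original post's script. Placeholders: site server,
# site code and the function name are assumptions.
function Get-CMRemediationFailedDevice {
    param(
        [Parameter(Mandatory)][string]$SiteServer,   # assumption: host running the SMS Provider
        [Parameter(Mandatory)][string]$SiteCode,     # assumption: three-character site code
        [int]$InfectionStatus = 4                    # 4 = remediation failed / settings modified
    )
    # The status is typed as [int], so interpolating it into WQL cannot inject
    # extra query text; never build WQL from an untyped string the same way.
    $wql = "SELECT Name, ResourceID, EPInfectionStatus " +
           "FROM SMS_CombinedDeviceResources WHERE EPInfectionStatus = $InfectionStatus"
    # Runs as the account executing the runbook, which only needs Read-Only Analyst.
    Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Query $wql |
        Select-Object Name, ResourceID, EPInfectionStatus
}

# Collect only the names. Publishing an array is intentional at this step:
# Orchestrator fans out one downstream job per element, so every infected
# device gets its own marker check and its own email decision.
$devices   = @(Get-CMRemediationFailedDevice -SiteServer 'cm01' -SiteCode 'P01')  # placeholders
$Computers = @($devices | ForEach-Object { $_.Name })
```

Publish $Computers as "Computer Name" in the Published Data node; the later steps subscribe to it one element at a time.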

Next, click on the “Published Data” node. Click the “Add” button, and fill the box in like this:

This publishes the list of devices to the next step. The variable name field is the value you assigned to the variable, and the name field is a common name for the variable.

Check to see if Computer has Alerted Already

Drag another “Run .Net Script” activity into your workspace. Open it, give it a name, and return to the Details node. Change the language type to PowerShell, and paste the following code into the script box:

$comps = "{Computer Name from "Find Computers with Remediation Errors"}"

Delete the “{Computer Name from “Find Computers with Remediation Errors”}” part (leaving the outside quotes). In its place, right-click, go to “Subscribe”, and select “Published Data”. Select “Computer Name” from the box, and click ok. This inserts the variable. Remember this, as we will be doing this a lot through the rest of the article.

Now we need to publish some more data. Open the “Published Data” node again, select “Add”, and fill the box out like this:

This publishes the “alerted” variable to the next step, which tells the system there has already been an alert generated for this device.
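The marker-file mechanism from "Preparing the System" and the check performed in this activity, as one added PowerShell example (not the post's own script). The share path \\orch01\EPAlerts$, the .txt extension on the marker file and the function names are assumptions; the "Yes"/"No" result matches the literal value the link condition compares against later.

```powershell
# Added example, not the original post's script. The share path, file
# extension and function names are assumptions.
$MarkerShare = '\\orch01\EPAlerts$'   # assumption: replace with your hidden share

function Get-MarkerPath {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The computer name ends up in a file path, so allow only the characters a
    # Windows host name can contain. This stops a malformed or spoofed record
    # from producing something like "..\..\other" as a path component.
    if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,63}$') {
        throw "Refusing to build a marker path from unexpected computer name '$ComputerName'"
    }
    Join-Path -Path $MarkerShare -ChildPath "$ComputerName.txt"
}

function Test-AlreadyAlerted {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Returns the text Yes or No because the runbook link condition later tests
    # the published "alerted" value against the literal No.
    if (Test-Path -LiteralPath (Get-MarkerPath $ComputerName)) { 'Yes' } else { 'No' }
}

function Set-AlertMarker {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Written after the alert email is sent; records when it went out.
    $path = Get-MarkerPath $ComputerName
    Set-Content -LiteralPath $path -Value ('Alerted {0}' -f (Get-Date).ToString('s'))
}

function Remove-AlertMarker {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Used by the second runbook once the device no longer reports status 4.
    $path = Get-MarkerPath $ComputerName
    if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path }
}

# Inside the "Check to see if Computer has Alerted Already" activity the script
# body reduces to these two lines, with $comps coming from the subscribed data.
$comps   = 'WS-1234'                                   # placeholder for the subscribed value
$alerted = Test-AlreadyAlerted -ComputerName $comps    # publish this as "alerted"
```

Using -LiteralPath throughout means a name containing wildcard characters cannot widen the Test-Path or Remove-Item to other files, which is the second half of the protection the name check provides.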

Process Computer Data

Next, create another "Run .Net Script" activity. Open it, give it a name, and go to the "Details" node. Change the type to PowerShell. This is the main activity in the runbook: it gathers all of the data needed to generate the alert email. Paste this code into the script box:

In this step, we are running three WMI queries against the CM 2012 server. The first pulls all relevant information from the SMS_CombinedDeviceResources class. It is pulling the computer name, the resource ID of the infected client, the name of the infection, the anti-virus definition file version, the date and time of the last definition update, the date and time of the last full scan, and the date and time that the device was infected. All of this data, except for the resource ID, will be used in the email. We will need the resource ID for the query database step. All of the date and time values are wrapped in IF statements because the "ConvertToDateTime" method throws and stops the PowerShell script if the field is blank. I am not sure at this point why the field would be blank, but I have noticed it in some cases.

The second WMI query pulls the primary user of the machine. It is also wrapped in an IF statement, because that value can be a local account. This step filters out local accounts and only passes through the domain user, which matters for the "Get User" step that comes later. Replace <domain name> with your domain name.

Finally, the third WMI query pulls the IP address(es). This is also piped through an IF statement to strip off non-company IP addresses that get stored in CM 2012. Replace <first two octets of IP range> with the first two octets of your organization's IP range, and keep the ".*" as it is. A computer with both a wired and a wireless adapter returns more than one address here, so you might expect this section to build an array. Because we do not initialize the variable with $ippub = @(), no array is ever formed: each address is appended to a single string, and if you run this in PowerShell and view the output it looks similar to "192.168.2.3192.168.2.4". Splitting that back into separate addresses is the purpose of the next item. It is important that this step does not publish an array, because Orchestrator recognizes an array and splits it into separate jobs, which would create two emails for one computer. Leaving out $ippub = @() essentially "flattens" the array.
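The three data-shaping problems described above (blank DMTF dates, local versus domain primary user, and keeping the address list a single published value) as one added PowerShell example on constructed sample values, so it runs without a CM server. This is not the post's own script: the IP prefix, domain name, sample values and function names are assumptions, and the WMI queries themselves are not repeated here. It goes slightly beyond the post by anchoring the prefix match and joining with a delimiter instead of relying on bare concatenation.

```powershell
# Added example, not the original post's script. Prefix, domain, sample
# values and function names are assumptions.
$IpPrefix = '192.168.'      # assumption: your first two octets, trailing dot included
$Domain   = 'CORP'          # assumption: your NetBIOS domain name

function ConvertFrom-DmtfDate {
    param([string]$Dmtf)
    # CM stores dates in DMTF form (yyyymmddHHMMSS.ffffff+offset). A blank
    # value makes the conversion throw, so return a placeholder instead.
    if ([string]::IsNullOrWhiteSpace($Dmtf)) { return 'N/A' }
    [System.Management.ManagementDateTimeConverter]::ToDateTime($Dmtf).ToString('yyyy-MM-dd HH:mm:ss')
}

function Get-DomainPrimaryUser {
    param([string]$PrimaryUser)
    # Keep only DOMAIN\user; a local account (MACHINE\user) is not useful to
    # the later "Get User" lookup and must not be passed through.
    if ($PrimaryUser -like "$Domain\*") { $PrimaryUser } else { '' }
}

function Get-CompanyIpList {
    param([string[]]$Addresses)
    # Anchor the test and escape the dots. A bare "192.168.*" used with -match
    # would also accept "192x168.2.9", and a prefix such as "10.1." would
    # accept 10.10.x.x and 10.100.x.x as well.
    $pattern = '^' + [regex]::Escape($IpPrefix)
    $keep = @($Addresses | Where-Object { $_ -match $pattern })
    # Return ONE string. A published array makes Orchestrator start one job per
    # element (one email per NIC), while plain concatenation produces
    # "192.168.2.3192.168.2.4", which the next step cannot split reliably.
    # A delimiter keeps it a single value that is still readable in the email.
    $keep -join '; '
}

# Constructed sample input standing in for the WMI results
$sampleDates = '20140312093015.000000+000', ''
$sampleUsers = 'CORP\jdoe', 'WS-1234\localadmin'
$sampleIps   = '192.168.2.3', '192.168.2.4', '169.254.10.7', '192x168.2.9'

$dates = $sampleDates | ForEach-Object { ConvertFrom-DmtfDate $_ }
$users = $sampleUsers | ForEach-Object { Get-DomainPrimaryUser $_ }
$ippub = Get-CompanyIpList -Addresses $sampleIps
```

The second sample date is blank on purpose: it exercises the branch that would otherwise stop the activity. If you adopt the delimiter, the "split" step that follows in the runbook becomes a -split on '; ' instead of a fixed-width cut.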

Now we need to set up our published data. If you go to the “Published Data”, set it up like this using the same method from above:

To finish this action, we need to modify the connection between “Check to see if computer has already alerted” and “Process Computer Data”. If you double-click on the arrow connecting the two, you get a box like this:

If you click on “Check to see if computer has alerted already”, you select “alerted”. Once you do that, the statement changes so that it will only proceed if “alerted” equals some value. You specify this value by clicking on “value”. Put a value of No in this box. Once complete, it should look like this:

This concludes this part of the series. Next week we will talk about the second half of this runbook, and the runbook that removes the marker files once a device has been cleaned.
